svn commit: r286798 - head/sys/teken

[Ed Schouten]

Author: ed
Date: Sat Aug 15 08:42:33 2015
New Revision: 286798
URL: https://svnweb.freebsd.org/changeset/base/286798

Log:
  Stop parsing digits if the value already exceeds USHRT_MAX.
  
  There is no need for us to support parsing values that are larger than
  the maximum terminal window size. In this case that would be the maximum
  of unsigned short.
  
  The problem with parsing larger values is that they can cause integer
  overflows when adjusting the cursor position, leading to all sorts of
  failing assertions.
  
  PR:		202326
  Reported by:	kcwu csie org
  MFC after:	1 month

Modified:
  head/sys/teken/teken.c

Modified: head/sys/teken/teken.c
==============================================================================
--- head/sys/teken/teken.c	Sat Aug 15 08:29:13 2015	(r286797)
+++ head/sys/teken/teken.c	Sat Aug 15 08:42:33 2015	(r286798)
@@ -29,12 +29,14 @@
 #include <sys/cdefs.h>
 #if defined(__FreeBSD__) && defined(_KERNEL)
 #include <sys/param.h>
+#include <sys/limits.h>
 #include <sys/lock.h>
 #include <sys/systm.h>
 #define	teken_assert(x)		MPASS(x)
 #else /* !(__FreeBSD__ && _KERNEL) */
 #include <sys/types.h>
 #include <assert.h>
+#include <limits.h>
 #include <stdint.h>
 #include <stdio.h>
 #include <string.h>
@@ -405,18 +407,21 @@ teken_state_numbers(teken_t *t, teken_ch
 	teken_assert(t->t_curnum < T_NUMSIZE);
 
 	if (c >= '0' && c <= '9') {
-		/*
-		 * Don't do math with the default value of 1 when a
-		 * custom number is inserted.
-		 */
 		if (t->t_stateflags & TS_FIRSTDIGIT) {
+			/* First digit. */
 			t->t_stateflags &= ~TS_FIRSTDIGIT;
-			t->t_nums[t->t_curnum] = 0;
-		} else {
-			t->t_nums[t->t_curnum] *= 10;
+			t->t_nums[t->t_curnum] = c - '0';
+		} else if (t->t_nums[t->t_curnum] < USHRT_MAX) {
+			/*
+			 * Screen positions are stored as unsigned
+			 * shorts. There is no need to continue parsing
+			 * input once the value exceeds USHRT_MAX. It
+			 * would only allow for integer overflows when
+			 * performing arithmetic on the cursor position.
+			 */
+			t->t_nums[t->t_curnum] =
+			    t->t_nums[t->t_curnum] * 10 + c - '0';
 		}
-
-		t->t_nums[t->t_curnum] += c - '0';
 		return (1);
 	} else if (c == ';') {
 		if (t->t_stateflags & TS_FIRSTDIGIT)